Lately I am concerned that after connecting a user can change (spoof) its IP address and basically make the firewall rules useless.

1. Do you know if this is actually possible? Are there any technical limitations that would prevent a client with a spoofed IP from sending/receiving traffic?

2. If this is possible how would you improve the security?
As you know, having firewall rules that filter based on dynamic interface names like <ovpn-username001> doesn't work. Maybe having ppp profile up and down scripts that add firewall rules based on the dynamic interface names is one possible solution. Any other ideas?

Thank you in advance!

Last edited by ros44 on Mon Sep 03, 2018 11:32 am, edited 1 time in total.

I did the test below and I can confirm that spoofing is possible and works very well.
(Please, correct me if "spoofing" is not the right term for this.)

1. From a Win10 PC with an OpenVPN client I connected to my VPN router. I got the address 10.11.12.101 (the one statically assigned for username001 in /ppp secrets).
2. Then on the Win10 command prompt I changed the address of my TAP VPN interface:

My router's firewall rules allow full access from 10.11.12.50. At this moment the access to the internal resources didn't work. The reason is that there was no routing for 10.11.12.50.

Once I added a routing for 10.11.12.50 via <ovpn-username001> interface everything worked like a charm.

Consequently, if the spoofed IP is a public IP address and the firewall rules are not well designed, there is a possibility for a spoofed request to come in from a VPN interface and the reply to be routed via the WAN interface to the public IP of the attacker.

---

So this brings me to the conclusion that the firewall rules must explicitly accept requests from the VPN interfaces that are only originating from the VPN pool.

Last edited by ros44 on Thu Sep 06, 2018 10:52 am, edited 1 time in total.

VPN works well not because of IP addresses, but because of the high security of hash and encryption protocols like DF key exchange and AES flow encryption. Before an attacker can have your IP address he has to break this key and the data encryption. If these IPs exist in a broadcast network, you have to defend yourself at the switch level.

Correct regarding protection from 3rd party attacks, but sometimes you need to restrict where even legal VPN clients can get in your network. Whereas e.g. an l2tp server can be set up to link a static interface name to a particular user name, such possibility does not exist for openvpn server, so the only client-related information you can refer to in firewall rules is the IP address assigned to the client. And if the client can replace the assigned address by another one, the firewall rules will see that forged address. It is actually not much of a problem given that such "semi-insider attacker" would have to modify the routing on the server in order to start receiving the response packets, but it does expose some attack surface to exploit some possible vulnerability.

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

@sindy, thank you for confirming what I've discovered and what was worrying me: that a legitimate VPN user could start messing around.

A guy from the scripting section of the forum pointed out to me that in every ppp profile there are many options that can be used so that the ppp interface is dynamically added to an interface list, an address list, and incoming/outgoing filters. It is up to the firewall policy how these tools are used. For me these are the tools to mitigate the risk.
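Putting the two mitigations from this thread together (only accept VPN traffic whose source is an address the server actually assigned, and let the ppp profile maintain the interface and address lists dynamically), here is an added RouterOS configuration example; it is not any poster's own config. It assumes the OpenVPN secrets use the default ppp profile, that the VPN pool is 10.11.12.0/24, that the internal network is 192.0.2.0/24, and the list names vpn-ifaces and vpn-clients are hypothetical.

```routeros
# Added example, not taken from the thread. Assumed: OpenVPN users are bound
# to the "default" ppp profile; list names vpn-ifaces / vpn-clients are made up.

# 1. Let the ppp profile tag each dynamic <ovpn-username> interface and the
#    address it was assigned. Both entries appear when the session comes up
#    and disappear when it goes down, so no up/down scripts are needed.
/interface list
add name=vpn-ifaces comment="dynamic OpenVPN client interfaces"
/ppp profile
set default interface-list=vpn-ifaces address-list=vpn-clients

# 2. Anti-spoofing, placed BEFORE any accept rule in the chain (rule order
#    matters): a packet arriving on a VPN interface whose source is not an
#    address the server handed out is dropped. This covers a forged pool
#    address such as 10.11.12.50 as well as a forged public address, so the
#    reply can never be routed out through WAN to an attacker.
/ip firewall filter
add chain=forward in-interface-list=vpn-ifaces src-address-list=!vpn-clients \
    action=drop comment="drop spoofed source address arriving via VPN"
add chain=input in-interface-list=vpn-ifaces src-address-list=!vpn-clients \
    action=drop comment="same for traffic addressed to the router itself"

# 3. Only now grant access, and only to legitimately assigned addresses.
#    Per-user restrictions can still key on the static address from
#    /ppp secrets (e.g. 10.11.12.101), because after rule 2 that address can
#    only reach this rule when it really belongs to that session.
add chain=forward in-interface-list=vpn-ifaces src-address-list=vpn-clients \
    dst-address=192.0.2.0/24 action=accept comment="VPN clients -> internal"
add chain=forward in-interface-list=vpn-ifaces action=drop \
    comment="everything else from VPN"
```

Check the result with `/ppp active print` next to `/ip firewall address-list print where list=vpn-clients`: the two should agree exactly, and a client that changes its TAP address will see its packets counted on the drop rule rather than on the accept rule.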